• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

MSR3620 nat端口映射问题

2022-01-18提问
  • 0关注
  • 1收藏,818浏览
zhiliao_IIO49h
zhiliao_IIO49h 零段
粉丝:0人 关注:0人

问题描述:

对齐方式

  • 靠左
  • 居中
  • 靠右
  1. nat不起作用,我想外网访问内部192.168.20.3:18082上的服务器,做了以下配置,没起效果


  4. #
  5. version 7.1.064, Release 0821P18
  6. #
  7. sysname H3CROUTE
  8. #
  9. clock timezone Beijing add 08:00:00
  10. clock protocol ntp
  11. #
  12. wlan global-configuration
  13. #
  14. telnet server enable
  15. #
  16. ip unreachables enable
  17. ip ttl-expires enable
  18. #
  19. nat static inbound 218.108.84.204 192.168.20.3
  20. nat static outbound 192.168.20.3 218.108.84.204
  21. #
  22. dhcp enable
  23. dhcp server always-broadcast
  24. #
  25. dns proxy enable
  26. #
  27. system-working-mode standard
  28. password-recovery enable
  29. #
  30. vlan 1
  31. #
  32. object-group ip address 1段
  33. 0 network range 192.168.1.11 192.168.1.250
  34. #
  35. object-group ip address vlan字段
  36. 0 network range 192.168.20.1 192.168.100.254
  37. 0 network exclude 192.168.20.1
  38. 0 network exclude 192.168.20.3
  39. 0 network exclude 192.168.30.1
  40. 0 network exclude 192.168.40.1
  41. 0 network exclude 192.168.50.1
  42. 0 network exclude 192.168.60.1
  43. 0 network exclude 192.168.70.1
  44. #
  45. dhcp server ip-pool GigabitEthernet0/0
  46. gateway-list 192.168.0.1
  47. network 192.168.0.0 mask 255.255.255.0
  48. address range 192.168.0.11 192.168.0.249
  49. dns-list 202.101.172.35 114.114.114.114
  50. #
  51. dhcp server ip-pool GigabitEthernet0/1
  52. gateway-list 192.168.1.1
  53. network 192.168.1.0 mask 255.255.255.0
  54. address range 192.168.1.11 192.168.1.249
  55. dns-list 202.101.172.35 114.114.114.114
  56. #
  57. controller Cellular0/0
  58. #
  59. interface Virtual-Template0
  60. #
  61. interface NULL0
  62. #
  63. interface Vlan-interface1
  64. #
  65. interface GigabitEthernet0/0
  66. port link-mode route
  67. combo enable copper
  68. ip address 192.168.0.1 255.255.255.0
  69. nat static enable
  70. #
  71. interface GigabitEthernet0/1
  72. port link-mode route
  73. combo enable copper
  74. ip address 192.168.1.1 255.255.255.0
  75. nat static enable
  76. attack-defense apply policy AtkInterface3
  77. #
  78. interface GigabitEthernet0/2
  79. port link-mode route
  80. combo enable copper
  81. nat static enable
  82. #
  83. interface GigabitEthernet0/3
  84. port link-mode route
  85. description Multiple_Line
  86. bandwidth 100000
  87. combo enable copper
  88. ip address 115.238.110.154 255.255.255.252
  89. dns server 114.114.114.114
  90. dns server 202.101.172.35
  91. packet-filter name WebHttpHttps5 inbound
  92. qos car inbound any cir 100000 cbs 6250000 ebs 0 green pass red discard yellow pass
  93. qos car outbound any cir 100000 cbs 6250000 ebs 0 green pass red discard yellow pass
  94. nat outbound
  95. nat server protocol tcp global current-interface 18082 inside 192.168.20.3 18082
  96. nat static enable
  97. attack-defense apply policy AtkInterface5
  98. #
  99. interface GigabitEthernet0/4
  100. port link-mode route
  101. nat static enable
  102. #
  103. interface GigabitEthernet0/5
  104. port link-mode route
  105. nat static enable
  106. #
  107. object-policy ip Any-Any
  108. rule 0 pass source-ip vlan字段 app-group limitspeed_120
  109. rule 1 inspect limitspeed source-ip vlan字段
  110. #
  111. security-zone name Local
  112. #
  113. security-zone name Trust
  114. #
  115. security-zone name DMZ
  116. #
  117. security-zone name Untrust
  118. #
  119. security-zone name Management
  120. #
  121. zone-pair security source Any destination Any
  122. object-policy apply ip Any-Any
  123. #
  124. scheduler logfile size 16
  125. #
  126. line class console
  127. user-role network-admin
  128. #
  129. line class tty
  130. user-role network-operator
  131. #
  132. line class usb
  133. user-role network-admin
  134. #
  135. line class vty
  136. user-role network-operator
  137. #
  138. line con 0
  139. user-role network-admin
  140. #
  141. line vty 0 63
  142. authentication-mode scheme
  143. user-role network-operator
  144. #
  145. ip route-static 0.0.0.0 0 GigabitEthernet0/3 115.238.110.153
  146. ip route-static 114.55.101.147 32 115.238.110.153 preference 10
  147. ip route-static 192.168.0.0 16 192.168.1.253
  148. #
  149. info-center loghost 127.0.0.1 port 3301
  150. info-center source CFGLOG loghost level informational
  151. #
  152. performance-management
  153. #
  154. ssh server enable
  155. #
  156. ntp-service enable
  157. ntp-service unicast-server 120.25.108.11
  158. ntp-service unicast-server 203.107.6.88
  159. #
  160. acl advanced name WebHttpHttps5
  161. rule 65533 permit tcp destination-port eq www
  162. rule 65534 permit tcp destination-port eq 443
  163. #
  164. password-control enable 
  165. undo password-control aging enable 
  166. undo password-control history enable 
  167. password-control length 6
  168. password-control login-attempt 3 exceed lock-time 10
  169. password-control update-interval 0
  170. password-control login idle-time 0
  171. #
  172. domain system
  173. #
  174. domain default enable system
  175. #
  176. role name level-0
  177. description Predefined level-0 role
  178. #
  179. role name level-1
  180. description Predefined level-1 role
  181. #
  182. role name level-2
  183. description Predefined level-2 role
  184. #
  185. role name level-3
  186. description Predefined level-3 role
  187. #
  188. role name level-4
  189. description Predefined level-4 role
  190. #
  191. role name level-5
  192. description Predefined level-5 role
  193. #
  194. role name level-6
  195. description Predefined level-6 role
  196. #
  197. role name level-7
  198. description Predefined level-7 role
  199. #
  200. role name level-8
  201. description Predefined level-8 role
  202. #
  203. role name level-9
  204. description Predefined level-9 role
  205. #
  206. role name level-10
  207. description Predefined level-10 role
  208. #
  209. role name level-11
  210. description Predefined level-11 role
  211. #
  212. role name level-12
  213. description Predefined level-12 role
  214. #
  215. role name level-13
  216. description Predefined level-13 role
  217. #
  218. role name level-14
  219. description Predefined level-14 role
  220. #
  221. user-group system
  222. #
  223. local-user admin class manage
  224. service-type ftp
  225. service-type ssh telnet terminal http https
  226. authorization-attribute user-role network-admin
  227. #
  228. connection-limit policy 32
  229. #
  230. app-group limitspeed_120
  231. description "User-defined application group"
  232. include application AndroidMarket
  233. include application AnZhiMarket
  234. include application BaiduWenKu
  235. include application JiFengMarket
  236. include application OnlineDown
  237. include application WanDouJia
  238. #
  239. ip http enable
  240. #
  241. attack-defense policy AtkInterface3
  242. scan detect level high action logging block-source
  243. syn-flood detect non-specific
  244. syn-flood action drop 
  245. udp-flood detect non-specific
  246. udp-flood action drop 
  247. icmp-flood detect non-specific
  248. icmp-flood action drop 
  249. signature detect smurf action drop
  250. signature detect large-icmp action drop
  251. signature detect large-icmpv6 action drop
  252. signature detect tcp-invalid-flags action drop
  253. signature detect tcp-null-flag action drop
  254. signature detect tcp-all-flags action drop
  255. signature detect tcp-syn-fin action drop
  256. signature detect tcp-fin-only action drop
  257. signature detect land action drop
  258. signature detect winnuke action drop
  259. signature detect fraggle action drop
  260. signature detect ip-option record-route action drop
  261. signature detect ip-option strict-source-routing action drop
  262. signature detect icmp-type destination-unreachable action drop
  263. signature detect icmp-type redirect action drop
  264. #
  265. attack-defense policy AtkInterface5
  266. syn-flood detect non-specific
  267. syn-flood action drop 
  268. udp-flood detect non-specific
  269. udp-flood action drop 
  270. icmp-flood detect non-specific
  271. icmp-flood action drop 
  272. signature detect smurf action drop
  273. signature detect large-icmp action drop
  274. signature detect large-icmpv6 action drop
  275. signature detect tcp-invalid-flags action drop
  276. signature detect tcp-null-flag action drop
  277. signature detect tcp-all-flags action drop
  278. signature detect tcp-syn-fin action drop
  279. signature detect tcp-fin-only action drop
  280. signature detect land action drop
  281. signature detect winnuke action drop
  282. signature detect fraggle action drop
  283. signature detect ip-option record-route action drop
  284. signature detect ip-option strict-source-routing action drop
  285. signature detect icmp-type destination-unreachable action drop
  286. signature detect icmp-type redirect action drop
  287. #
  288. url-filter policy limitspeed
  289. default-action permit
  290. #
  291. app-profile limitspeed
  292. url-filter apply policy limitspeed
  293. #
  294. wlan ap-group default-group
  295. vlan 1
  296. #
  297. traffic-policy 
  298. rule 1 name limitspeed_120 
  299.   action qos profile limitspeed_120 
  300.   source-address address-set vlan字段 
  301.   application app AndroidMarket 
  302.   application app AnZhiMarket 
  303.   application app BaiduWenKu 
  304.   application app JiFengMarket 
  305.   application app OnlineDown 
  306.   application app WanDouJia 
  307. profile name limitspeed_120
  308.   bandwidth downstream maximum 100 
  309.   bandwidth upstream maximum 100 
  310. #
  311. return

组网及组网描述:

交换机上做了20/30/40/50/60的vlan,交换机地址192.168.1.253

最佳答案

已采纳
z6Kl9
z6Kl9 九段
粉丝:67人 关注:2人

删除

  1. nat static inbound 218.108.84.204 192.168.20.3
  2. nat static outbound 192.168.20.3 218.108.84.204
  3. ip route-static 114.55.101.147 32 115.238.110.153 preference 10

想要内网访问:

在内网口配置端口回流功能即可

  1. interface GigabitEthernet0/1

nat hairpin enable


2 个回答
按时间 按赞数
漓离原上谱
漓离原上谱 九段
粉丝:111人 关注:1人

nat static inbound 218.108.84.204 192.168.20.3

全局做了全端口映射,需要访问 218.108.84.204  

我路由器地址是115.238.110.154,218.108.84.204这是一个未使用的公网地址,我原来在5200上都是这么配的,都可以使用

zhiliao_IIO49h 发表时间:2022-01-18

不要管之前怎么配置,你的目标服务器,匹配了全端口映射自然不会匹配接口的端口映射

漓离原上谱 发表时间:2022-01-18

我把那条删了,现在是我用手机能访问,但是,在局域网内访问不了

zhiliao_IIO49h 发表时间:2022-01-18

跟踪一下路径 nat static outbound 192.168.20.3 218.108.84.204 这条是回给公网的不是回给内网的

漓离原上谱 发表时间:2022-01-18

NAT hairpin应该是这个功能没开启,这个功能好像在web端是看不到的

zhiliao_IIO49h 发表时间:2022-01-18
zhiliao_IIO49h
zhiliao_IIO49h 知了小白
粉丝:0人 关注:0人

我做了2个映射,一个是端口映射,一个是公网地址的映射,都不成功

编辑答案

你正在编辑答案

如果你要对问题或其他回答进行点评或询问,请使用评论功能。

分享扩散:

提出建议

    +
网站相关
关于我们
服务条款
帮助中心
经验与权限
积分规则
联系我们
联系我们
建议反馈
常用链接
标杆的神器下载
关注我们
H3C官网
新华三服务公众号
安仔远程运维服务
新华三商城
内容许可
除特别说明外,用户内容均可采用知识共享署名-相同方式共享3.0中国大陆许可协议进行许可

Copyright©2024新华三集团保留一切权利 当前呈现版本 NO.1

本图标版权归新华三集团所有,仅限本社区使用,切勿用做商业目的,违者必究

浙ICP备09064986号-1   浙公网安备 33010802004416号

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作

举报

×

侵犯我的权益 >
对根叔社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明